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Quantum cryptography shows that one can guarantee the secrecy of correlation on the sole basis 
of the laws of physics, that is without limiting the computational power of the eavesdropper. The 
usual security proofs suppose that the authorized partners, Alice and Bob, have a perfect knowledge 
and control of their quantum systems and devices; for instance, they must be sure that the logical 
bits have been encoded in true qubits, and not in higher-dimensional systems. In this paper, we 
present an approach that circumvents this strong assumption. We define protocols, both for the 
case of bits and for generic d-dimensional outcomes, in which the security is guaranteed by the very 
structure of the Alice-Bob correlations, under the no-signalling condition. The idea is that, if the 
correlations cannot be produced by shared randomness, then Eve has poor knowledge of Alice's and 
Bob's symbols. The present study assumes, on the one hand that the eavesdropper Eve performs only 
individual attacks (this is a limitation to be removed in further work), on the other hand that Eve 
can distribute any correlation compatible with the no-signalling condition (in this sense her power is 
greater than what quantum physics allows). Under these assumptions, we prove that the protocols 
defined here allow extracting secrecy from noisy correlations, when these correlations violate a Bell- 
type inequality by a sufficiently large amount. The region, in which secrecy extraction is possible, 
extends within the region of correlations achievable by measurements on entangled quantum states. 



I. INTRODUCTION 



Quantum physics has been shown to provide a means 
to distribute correlations at a distance, whose secrecy can 
be guaranteed by the laws of physics, without any as- 
sumption on the computational power of the eavesdrop- 
per. This is the nowadays largely studied field of quan- 
tum cryptography (or quantum key distribution, QKD), 
the most mature development of quantum information 
science [1]. The fact itself, that quantum physics can be 
used to distribute secrecy, is safe: if the authorized part- 
ners share a maximally entangled state, then secrecy is 
definitely guaranteed. But of course, one must verify that 
secrecy is not immediately spoiled by any small departure 
from this ideal case; this is why much theoretical research 
has been devoted to the derivation of rigorous bounds for 
the security of quantum cryptography [2]. Still, a lot of 
questions remain unsolved: for instance, the theorists, 
who find security proofs, and the experimentalists, who 
realize devices, tend to make different and often incom- 
patible assumptions when figuring their schemes out. 

In particular, an assumption in theoretical proofs has 
gone unnoticed until recently [3,4]: one assumes that the 
logical bits are encoded in quantum systems whose di- 
mension is under perfect control (generally, qubits) . Why 
do we question this assumption? First, because it is 
interesting in itself to ask, whether one can remove an 
assumption, that is, whether one can base the studies 



of security on weaker constraints. Second, because side 
channels are a serious issue in practical quantum cryp- 
tography. Experimentalists have to be careful that, when 
they encode (say) polarization, they encode only polar- 
ization, and that the device does not change the spec- 
tral line, or the spatial mode, or the temporal mode of 
the photon as well. Third, because it is important for 
practical reasons: quantum cryptography is becoming a 
commercial product. If a security expert recommends a 
quantum cryptography device, he should be able to as- 
sess that the device acts as it should with "reasonable" 
means. After all, the eavesdropper Eve could be herself 
the provider of the device! 

Anyone faced with this scenario feels at first that, if 
Eve is allowed to sell you the devices and you cannot 
know them in detail, there is no hope for security. Sur- 
prisingly, recent advances in quantum information sug- 
gest that this despair, reasonable as it is, may be too 
pessimistic. Let's see where the hope lies, and which as- 
sumptions are really crucial. 

The scheme to distribute correlations we have in mind 
is represented in Fig. 1. In Alice's and Bob's laboratories, 
the dark grey square represents the device possibly pro- 
vided by Eve. The distribution of correlations is made in 
three steps. In the first step, both laboratories are open 
to the signal that correlate them. This signal comes ei- 
ther from outside, or is emitted by Alice's device to Bob's, 
or viceversa: in any case, it must be assumed to be un- 
der Eve's full control. In the second step, the laboratories 
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are completely sealed, an obviously necessary condition 
as we are going to see. On the device that reads the 
signal, Alice and Bob must have a knob, which allows 
them to choose among at least two alternatives (in usual 
QKD, this is for instance the choice of the basis). It is 
obviously necessary to assume that no information about 
the position of the knob leaks out of Alice's and Bob's 
laboratories (in QKD, if Eve would know the basis, she 
can measure the state without introducing errors). Now, 
conditioned on the choice of an input (a position of the 
knob, labelled x for Alice and y for Bob), an output is 
produced (a for Alice, b for Bob). The lists of a and 
b constitute the raw key. How can there be some se- 
crecy in this raw key? The insight from quantum physics 
is that the outputs may be not under the provider's con- 
trol: if the probability distribution of the outputs violates 
some kind of Bell inequality, then by definition those out- 
puts have not been produced by shared randomness — 
in other words, the correlations have been produced by 
the measurements themselves, and did not pre-exist to 
them. They could have been produced by communica- 
tion, if information about the inputs x and/or y would 
have propagated between Alice and Bob; but we have 
insisted on the no-signalling assumption: no information 
about x and y should leak out of Alice's and Bob's lab- 
oratories respectively [5]. The third step is usual: Alice 
and Bob can make classical data processing in order to 
distill a fully secret key. 



Alice Bob 




FIG. 1. A pictorial description of the no-signalling assump- 
tion in our context. The dark grey boxes in Alice's and Bob's 
laboratories are the devices provided by Eve. In a first step, 
the laboratories are open for the signal that correlates them 
(grey spheres). The arrows on the channel indicate that it 
is not important whether this signal comes from outside, or 
is emitted by Alice's device to Bob's, or viceversa: in any 
case, it is under Eve's control. What is important, is that 
the inputs (x, y) have not been chosen yet. In a second step, 
the laboratories are absolutely closed: no leakage of informa- 
tion about the inputs (x, y) or the outputs (a, b) is allowed. 
In a third step (not shown), Alice and Bob can carry out the 
usual procedures of error correction and privacy amplification 
by communicating on an authenticated channel. 



The reasoning above is exactly the intuition that 
led Ekert to discover (independently of previous works) 
quantum cryptography in 1991 [6]. Ekert 's work con- 
tains in nuce the idea of a device-independent security 
proof, it should be possible to demonstrate that a proba- 
bility distribution, which violates some Bell inequality, is 
secure by this very fact, without any reference to the for- 
malism of quantum physics. Of course, in physics as we 
know it today, a Bell inequality can only be violated with 
entanglement: that is why people immediately used the 
quantum formalism to study Ekert's intuition [7]. But 
recently, tools have been developed, that allow one to 
study no-signalling distributions in themselves, without 
the formalism of Hilbert spaces. It is then possible to 
come back to the original intuition by Ekert, and try and 
prove security only through the violation of a Bell-type 
inequality. This is the theme of the present paper. 

Since we need to introduce in more detail the tools 
used in this work, we do this in Section II and postpone 
the outline of the paper to paragraph II D. 



II. CRYPTOGRAPHY IN THE NO-SIGNALLING 
POLYTOPE 

This first section introduces the language and the tools 
which are needed in a general framework. We focus from 
the very beginning onto bipartite correlations, i.e. corre- 
lations involving two partners, traditionally called Alice 
and Bob. 



A. Formalization of Bell-type experiments 

The physical situation one must keep in mind is a Bcll- 
type experiment. Alice and Bob receive several pairs of 
entangled quantum particles. On each particle, Alice per- 
forms the measurement x randomly drawn from a finite 
set of wia possibilities; as a result, she obtains the out- 
put a out of a discrete set containing ua symbols. Inde- 
pendently from Alice, Bob performs the measurement y 
randomly drawn from a finite set of tub possibilities; as 
a result, he obtains the output b out of a discrete set con- 
taining n b symbols. Such an experiment is characterized 
by the family of probabilities 

P(a, b, x, y) = P(o, b\x, y) P(x) P{y) . (1) 

There are D — niA ms nA ub such numbers, so each ex- 
periment can be described by a point in a D-dimensional 
space; more precisely, in a region of such a space, 
bounded by the conditions that probabilities must be 
positive and sum up to one. By imposing further restric- 
tions on the possible probability distributions, the region 
of possible experiment shrinks, thus adding non-trivial 
boundaries [8-10]. For our study, three restrictions are 
meaningful. 
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The first restriction is the requirement that the prob- 
ability distribution must be built without communica- 
tion, only with shared randomness. In the literature, 
this has been known as the hypothesis of local hidden 
variables. In our context, these variables are not hidden 
"in nature" (as in the original interprctational debates 
about quantum physics): they may rather be hidden in 
Alice's and Bob's laboratories, in the devices that Eve 
has provided to them. The bounded region, which con- 
tains all probability distributions that can be obtained 
by shared randomness, forms a polytope, that is a convex 
set bounded by a finite number of hyperplanes ("facets"); 
therefore we refer to it as to the local polytope. The ver- 
tices of the local polytope are the points corresponding 
to deterministic strategies, that is, strategies in which 
a = a(x) and b — b(y) with probability one; that is, 
P(a,b\x,y) = 6 ata ( x )6 bib ( y y There are clearly m n / m n B B 
such strategies. The vertices are thus easily listed, but 
to find the facets given the vertices is a computationally 
hard task. The importance of finding the facets is pretty 
clear. If a point, representing an experiment, lies within 
the polytope, then there exists a strategy with shared 
randomness (a local variable model) that produces the 
same probability distribution. If on the contrary a point 
lies outside the local polytope, then the experiment can- 
not be reproduced with shared randomness only. The 
interpretation of the facets of the local polytope is there- 
fore obvious: they correspond to Bell's inequalities. We 
shall call non-local region the region which lies outside 
the local polytope. 

The second restriction is the requirement that the 
probability distribution must be obtained from measure- 
ments on quantum bipartite systems. The bounded re- 
gion thus obtained shall be called the quantum region. 
It is not a polytope, since there is not a finite set of ex- 
tremal points. It is a convex set if one really allows all 
possible measurements on all possible states in arbitrary- 
dimensional Hilbert space [9,11]; if one restricts to the 
measurements on a given state, or even to von-Neumann 
measurements on a Hilbert space with given dimension, 
convexity is not proved in general (although no counter- 
example is known, to our knowledge). Needless to recall, 
the quantum region contains the local polytope, but is 
larger than it: measurement on quantum states can give 
rise to non-local correlations (Bell inequalities are vio- 
lated) . 

The third restriction is the requirement that the prob- 
ability distribution must not allow signalling from Alice 
to Bob or viceversa. The no-signalling requirement is ful- 
filled if and only if Alice's marginal distribution does not 
depend on Bob's choice of input, and viceversa: that is, 
the probability distributions must fulfill 

J2P(a,b\x,y) = P(a\x), (2) 

b 

^P(a,b\x,y) = P(b\y). (3) 

a 



These conditions define again a polytope, the no- 
signalling polytope, which contains the quantum region. 
The deterministic strategies are still vertices for this poly- 
tope; to these, one must add other vertices which rep- 
resent, loosely speaking, purely non-local no-signalling 
strategies. These additional points, sometimes called 
non-local machines or non-local boxes, have been fully 
characterized only in a few cases. 



B. Secrecy of probability distributions 

Here is the question that we are going to address in 
this paper. Alice and Bob have repeated many times 
the "measurement" procedure and share an arbitrary 
large number of realizations of the random variables dis- 
tributed according to P(a, b\x, y). By revealing a fraction 
of their lists, they can estimate whether their probability 
distribution lies in the local polytope or in the non-local 
region. The goal is to study whether Alice and Bob can 
extract secrecy out of their data with this knowledge only. 

To motivate the question, let us consider the best- 
known quantum cryptography protocol, the one invented 
by Bennett and Brassard in 1984 (BB84) [12]. In this 
protocol, a, b e {0, 1} and x, y £ {X, Z} are both bi- 
nary. In the absence of any error, the BB84 proto- 
col distributes perfect correlations when x = y and 
no correlations when x ^ y, that is: P(0,0\X,X) = 
P(l,l\X,X) = \, P(0,0\Z,Z) = P{\,\\Z,Z) = \, 
and P(a,b\X,Z) = p(a,b\Z,X) = \. If Alice and Bob 
have obtained their results by measuring two-dimensional 
quantum systems (qubits), such correlations provide se- 
crecy under the usual assumption that the eavesdropper 
is limited only by the laws of quantum physics [13]. How- 
ever, this distribution can also be obtained with shared 
randomness: if Alice and Bob would share randomly dis- 
tributed pairs of classical bits (rx, rz), they simply have 
to output rz (respectively rx) if they are asked to mea- 
sure Z (respectively X). Thus we see the importance 
of the additional assumption on the physical realization, 
namely, that both Alice and Bob are measuring a qubit, 
and therefore the pair (rx,rz) is not available because 
[X, Z]^0. 

In other words, the correlations of BB84, even in the 
absence of errors, are not secure "by themselves": they 
are secure only provided the quantum degrees of freedom 
are under good control. The question we raised can now 
be put in its true perspective: are there correlations that 
are secure by themselves, by the very fact of being what 
they are, without having even to describe how Alice and 
Bob managed to obtain them from a real channel? 

It turns out that it is easier to tackle this question by 
considering that the eavesdropper Eve is not even limited 
by quantum physics, but only by the no-signalling con- 
straint. This means that Eve can distribute any many- 
instances probability distribution P(a, b\x,y) that lies 
within the no-signalling polytope; Alice and Bob have 
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the freedom of choosing their sequence of measurements 
(x and y respectively) and will obtain the corresponding 
outcomes. By making this assumption, we stand clearly 
on the conservative side: if we can demonstrate that a 
non-vanishing secret key can be extracted against such 
a powerful eavesdropper, then the secret key achievable 
against a "realistic" (i.e., quantum) eavesdropper will be 
at least as long. 

In quantum cryptography, secrecy relies on entangle- 
ment. On which physical quantity can such a strong 
security, as the one we are asking for, rely? The answer 
is: on the non-locality of the correlations, that is, on the 
fact that the correlations cannot be obtained by shared 
randomness [5] . No secrecy can be extracted if Alice and 
Bob share a probability distribution which lies within the 
local polytope, just as no secrecy against a quantum Eve 
can be extracted out of separable states [14,15]. 

C. Individual eavesdropping strategies 

Barrett, Hardy and Kent [3] have shown an example of 
a protocol, in which quantum correlations can provide se- 
crecy against the most powerful attack by a no-signalling 
Eve. This is the first example that one can achieve se- 
curity even against a supra-quantum Eve, showing that 
security in key distribution arises from general features 
of no-signalling distributions rather than from the speci- 
ficities of the Hilbert space structure. However, their ex- 
ample has important limitations: actually, it provides a 
protocol to distribute a single secret bit (thence zero key 
rate) in the case when Alice and Bob share correlations 
that can be ascribed to noiseless quantum states. 

In this paper, we tackle the problem from the other 
side: we don't go straight for security against the most 
powerful adversary, but we follow the same path that was 
followed historically by quantum cryptography, namely, 
we limit the eavesdropper to adopt an individual strategy. 
This means the following: Eve follows the same proce- 
dure for each instance of measurement — that is, she 
is not allowed to correlate different instances. Moreover, 
Eve is asked to put her input z before any error correction 
and privacy amplification. Consequently, any individual 
attack is described of a three-partite probability distri- 
bution P(a, b, e|x, y, z) such that 

P(a, b\x, y)=J2 P ( e l z ) 6 I X < y> e ' z ) • ( 4 ) 

e 

Note that Eve is also limited by no-signalling, that is 
why the left hand side does not depend on z. One can 
see that this is an individual attack by looking at it as 
follows: when Eve gets outcome e out of her input z, she 
sends out the point P(a, b\x, y, e, z). 

Now we demonstrate two similar, important results 
about individual eavesdropping strategies: 

Theorem 1: Eve can limit herself in sending out ex- 
tremal points of the no-signalling polytope. 



Proof. Suppose that an attack is defined, in which one 
of the P(a, b\x, y, e, z) is not an extremal point. Then, 
this point can be itself decomposed on extremal points: 
P(a, b\x,y, e, z) — ^2 x P(X)P(a,b\x,y,e,z,X) where the 
P(a, b\x, y, e, z, A) are all extremal. But the knowledge of 
A must be given to Eve: by redefining Eve's symbol as 
(e, A) — ► e, we have an attack which is as powerful as the 
one we started from, and is of the form (4) while having 
only extreme points in the decomposition. 

Theorem 2: Suppose that Alice and Bob can trans- 
form P(a, b\x,y) into P(a, b\x,y) by using only local 
operations and public communication independent of 
a,b,x,y. Then there exist a purification of P(a, b\x,y) 
that gives Eve as much information as the best purifica- 
tion of P(a, b\x, y). 

Proof. Suppose (4) is the best purification of P from 
Eve's point of view; for clarity, let's use Theorem 1 to say 
that the P(a, b\x, y, e, z) are extremal points. The pro- 
cedure of Alice and Bob can be described as follows: for 
each realization of the variables (a, b, x, y), Alice draws a 
random number and reveals publicly its value j; then, she 
and Bob apply the local transformation Tj on which they 
have previously agreed, transforming x — > Xj, a —* Aj 
etc. Since there is no correlation between j and (e,z), 
each extremal point P e (a, b\x, y, e, z) is transformed into 

P(a, b\x, y, e,z) = J2 P(j)P(Aj, BAX h Y h e, z) 

3 

= Y j P{j)P{e\e,j)P{a,b\x,y,e,z). (5) 

Consequently, P(a, b\x, y) is a mixture of the ex- 
tremal points P(a, b\x, y, e, z) with weight P(e\z) = 
J2j e P{ e \ z )P{j)P{ e \ e ij)- To conclude the proof, just no- 
tice that Eve has been able to follow the full procedure, 
because she has learnt j and the list of the Tj is publicly 
known. Thus, there exist a decomposition of P(a, b\x,y) 
onto extremal points that gives Eve as much information 
as the best decomposition of P(a, b\x, y). 



D. Outline of the paper 



This is all that could be said in full generality. In what 
follows, we study mainly scenarios in which i,t/6 {0, 1}: 
Alice and Bob choose between two possible measure- 
ments. In Section III, we address the case where also 
the outcomes a and b are both binary; apart from para- 
graph HID, all the results of this Section have been an- 
nounced in Ref. [4]. In Section IV, we explore the case 
where both the outcomes are d-valued, in particular for 
d = 3. In both situations, we shall consider an explicit 
protocol for Alice and Bob, without claim of optimality. 
Conclusions and perspectives are listed in Section V. 
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III. BINARY OUTCOMES 

In this Section, we consider m,A = ms = ua = tib = 2; 
that is, a, b,x,y € {0, 1} are all binary. Below, all the 
sums involving bits are to be computed modulo 2. 

A. The polytopes and the quantum region 



where the maximum is reached with the probability dis- 
tribution 

P(a + b = xy\xy) = (10) 

obtained by measuring suitable observables on a maxi- 
mally entangled state. 



In the case of binary inputs and outputs, the local 
and the no-signalling polytopes have been fully charac- 
terized, and their structure is rather simple. A lot (but 
not all) is known about the quantum region too. Under 
no-signalling, the full probability distribution is entirely 
characterized by eight probabilities, therefore all these 
objects live in an 8-dimensional space. 

The local polytope [16,17] has eight non-trivial facets. 
Up to symmetries like relabelling of the inputs and of 
the outputs, they are all equivalent to the Clauser-Horne- 
Shimony-Holt (CHSH) inequality [18]. The representa- 
tive of this inequality reads 

l 

CHSH= P(a + b = xy\xy) <3. (6) 

x,y— 

On each facet lie eight out of the sixteen deterministic 
strategies; these are said to saturate the inequality, be- 
cause by definition they give CHSH = 3. Note that the 
eight points on a facet are linearly independent from one 
another [19]. The deterministic strategies that saturate 
our representative (6) are readily seen to be the following 
ones: 

L i = { a ( x ) = r,b(y) = r} 
L 2 = {a(x) = x + r,b(y) =r} 

L 3 = i a ( x ) = r -, b (y) = V + r } 

L\ = {a(x) = x + r,b(y)=y + r + l} 

where r = 0, 1. 

The no-signalling polytope [10] is obtained from the lo- 
cal polytope by adding a single extremal non-local point 
on top of each CHSH facet. The non-local point on top 
of our representative is defined by 

PR=^S(a + b = xy) . (8) 

This point is the so-called PR-box, invented by Popescu 
and Rohrlich [20] and by Tsirelson [8]. It violates the 
CHSH inequality up to its algebraic limit CHSH = 4. 

About the quantum region: the set of correlations that 
are producible by measuring quantum states is known, 
and corresponds to what can be produced by measure- 
ment on two-qubit states [21]. It is an open question, 
whether the analysis of the marginals can reveal further 
features of the quantum region. The violation of CHSH 
is bounded by 

CHSH(QM) < 2 + V2, (9) 



B. The non-local raw probability distribution 

To study the possibility of secret key extraction, we 
can restrict our attention to the sector of the non-local 
region that lies above a given facet of the local polytope, 
say the representative one for which we have collected 
the tools above. Any point in this sector, by definition, 
can be decomposed as a convex combination of the PR- 
box (8) and of the eight deterministic strategies on the 
facet (7). As shown above, we can assume without loss of 
generality that Eve distributes these nine strategies. We 
shall write pnl (for "non-local") the probability that Eve 
sends the PR-box to Alice and Bob; and p r - the proba- 
bility that Eve sends the deterministic strategy L r . We 
shall also write p L = J2 3 , r P r j = 1 - Pnl- 

The statistics generated by Eve sending the extremal 
points are summarized in the Table I. The reading of 
this Table is pretty clear. For instance, one finds that 
P(a = b = 0\x = y = 0) = p NL /2 + p§ + p% + p§. To ob- 
tain the P(a, b, x, y), one must multiply the entries of the 
Table by P(x)P(y). Since we are supposing that the ex- 
tremal points are sent to Alice and Bob by Eve, the label 
of each point can be considered also as Eve's symbol. 

Finally, we note that using Table I in (6), one finds 

PNL = CHSH-3. (11) 

In other words, pml measures directly the violation of the 
CHSH inequality. It follows that in the quantum region 

Pnl(QM) < V2- 1 w 0.414. (12) 



C. The CHSH protocol for cryptography 

Whenever Eve distributes the PR-box, she has no in- 
formation at all about the bits received by Alice and Bob, 
because of the monogamy of those correlations [10]. On 
the contrary, when she distributes a deterministic strat- 
egy, she has some information, depending on the actual 
cryptographic protocol. The question is thus, which is 
the best procedure to extract a secret key out of the raw 
distribution of Table I? We have no answer in full gener- 
ality; but we can notice a few things and propose a pro- 
tocol which is a reasonable candidate for optimality. A 
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good cryptography protocol should (i) present high cor- 
relations between Alice and Bob, and (ii) reduce Eve's 
information as much as possible. Now, in the raw data, 
we see that Alice and Bob are highly anti-correlated when 
x = y = 1: it is thus natural to devise a procedure that 
allows them to transform these anti-correlations in cor- 
relations. A good procedure reveals as small as possible 
information on the public channel. 

The protocol we propose, and that we call CHSH pro- 
tocol for obvious reasons, is the following: 

1. Distribution. Alice and Bob repeat the measure- 
ment procedure on arbitrarily many instances and 
collect their data. 

2. Parameter estimation. By revealing publicly some 
of their results, they estimate the parameters of 
their distribution, in particular the fraction p NL of 
intrinsically non-local correlations. 

3. Pseudo-Sifting. For each instance, Alice reveals the 
measurement she has performed (x = or x = 1). 
Whenever Alice declares x = 1 and Bob has cho- 
sen y = 1, Bob flips his bit. Bob does not reveal 
the measurement he has performed. This is the 
procedure which transforms anti-correlations into 
correlations while revealing the smallest amount 
of information on the public channel. We call it 
pseudo-sifting, because it enters in the protocol at 
the same place as sifting occurs in other protocols, 
but here all the items are kept. 

4. Classical processing. The details depend on 
whether one considers one-way post-processing 
(" error correction and privacy amplification" , ef- 
ficient in terms of secret key rate) or two-way post- 
processing (" advantage distillation" , inefficient for 
small errors but tolerating larger errors). The two 
cases are discussed separately below. 

After pseudo-sifting, and writing £j = P(y = j), we 
can write the Alice-Bob-Eve distribution splits into two, 
one for each value of x, as given in Table II. It is impor- 
tant to understand the content of these two distributions. 
Suppose Eve has sent out L\ and Alice has announced 
x = in the pseudo-sifting phase. Then Eve knows for 
sure both Alice's and Bob's outcomes, here a = and 
b = 0; and in fact, for x = 0, the strategy L\ gives only 
this result. However, if Eve has sent out L§ and Alice has 
announced x = 0, things are different: Eve still knows for 
sure Alice's outcome (a = 0), but Bob's outcome depends 
on his input, being b = if y = 0, b = 1 if y = 1. Re- 
markably, the roles are exactly reversed for x = 1: in this 
case, produces only a = and 6 = 0; while L\ gives 
a = 0, b = if y = and b = 1 if y = 1. 

In fact, a closer examination of the Tables shows that 
all the eight local point have such a behavior: (i) Alice's 
outcome a is always known to Eve, because the setting 
used by Alice is publicly known, (ii) If a local point pro- 
vides Eve with full information about Bob's outcome b 



when x = 0, the same point leaves her uncertain about b 
when x = 1; and viceversa. We shall come back to this 
interesting feature in paragraph HID. Obviously, Eve's 
uncertainty is maximal when Alice's and Bob's settings 
are chosen at random, therefore we set from now on 

P(x = i) = P(y = j) = ^ = \. (13) 

Note that this situation is different from quantum cryp- 
tography: in the quantum case, Eve's information does 
not depend on the frequency with which each setting is 
used, and in fact Alice and Bob can use almost always the 
same setting, provided they use the other one(s) some- 
times in order to check coherence [22]. 

Now we can understand better the advantage of our 
pseudo-sifting procedure. If neither Alice nor Bob would 
reveal their setting, Eve's information on the determin- 
istic strategies would decrease, but Alice and Bob would 
stay anti-correlated when x = y = 1. If on the contrary 
both Alice and Bob would reveal their setting, Eve would 
have full information on both a and b for every determin- 
istic strategy. The pseudo-sifting procedure corrects for 
the anti-correlation, and keeps some uncertainty in Eve's 
knowledge about Bob's result. 

In summary, Table II contains the probability distri- 
bution Alice-Bob-Eve after pseudo-sifting. Now we must 
study whether one can extract secrecy out of them, using 
classical pre- and post-processing. Before turning our at- 
tention to that, we want to stress a nice feature of the 
distribution we have just obtained. 

D. Uncertainty relations 

Remarkably, the protocol we have defined exhibits a 
feature which is also present in quantum cryptography, 
namely the fact that Eve gains information on a "basis" 
at the expense of introducing errors in the complemen- 
tary one. Here it is precisely. 

Refer to Table II, recalling that £o = £ = 5- The prob- 
abilities p(a 7^ b\x) of error between Alice and Bob when 
x = and x = 1 are respectively 

e AB \o = \ {pI+pI+pI+pI) , (14) 

e AB \i = \ (Pi+p\ +P2+PI) • (15) 

Eve's uncertainty on Bob's symbol, measured by condi- 
tional Shannon entropy, is 

H(B\E, x = 0) = l-(p 1 +p 1 1 +p a 2 + p\) (16) 
H(B\E,x = 1) = 1-(p° 3 +pI+pI+pI) . (17) 

Thus, there appear in our protocol a cryptographic un- 
certainty relation in the form 

H(B\E,x) = l-2e AB \ x+1 . (18) 
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The origin of this relation is rather clear. The pseudo- 
sifting phase of the protocol is optimized to extract cor- 
relations from the non-local strategy (PR-box), but on 
deterministic strategies, the pseudo-sifting has another 
action. Specifically: for L\ and U 2l after pseudo-sifting 
we have b(y = 0) = b(y = 1) = a when x = (no error, 
and Eve knows b), and b(y = 0) ^ b(y = 1) when x = 1 
(error in half cases, and Eve does not know b); for Lg 
and LJ, it's just the opposite. In summary, for each local 
strategy, Eve learns everything only for one Alice's set- 
ting, and for the other an error between Alice and Bob 
occurs half of the times. 

This is the first evidence of an analogue of quan- 
tum mechanical uncertainty relations in a generic no- 
signalling theory. We can now move to the main issue, 
the extraction of a secret key. 

E. One-way classical post-processing 



If we denote by q the probability that Bob flips his bit in 
the pre-processing, then 

p(a, b') = (1 - q)p(a, b = b')+ qp(a, b = b' + 1) . (22) 

These four probabilities allow to compute the mutual in- 
formation I(A : B 1 ) = H{A)-H(A\B'). Turning to Eve: 
before pre-processing, she has full knowledge on Bob's 
symbol for L\ and LJJ, and no knowledge for and L\. 
As a consequence of the fact that Eve knows exactly on 
which items she has full information and on which she 
has no information at all, one has simply 

H(B'\E) = H(B\E) + [1 - H(B\E)] h(q) (23) 

where h is binary entropy. The calculation is of course 
identical for x — 1 and this allows to compute tqk for 
any probability distribution. We focus explicitly on two 
cases. 



1. Generalities 

For one-way classical post-processing, the bound for 
the length of the achievable secret key rate under the 
assumption of individual attacks is the Csiszar-Korner 
(CK) bound [23,24]. In the case where Eve's knows more 
about Alice's symbol than about Bob's, as is the case 
here, the CK bound reads 

Rck= sup [H(B'\E,T) - H(B'\A,T)] (19) 

(B',T)<-B 

where B — > (B',T) is called pre-processing: from his ini- 
tial data B, Bob obtains some processed data B' that he 
does not reveal, and some other processed data T that 
are broadcasted on a public channel. For classical distri- 
butions, bitwise pre-processing is already optimal [23,24]. 
In this paper, we have not explored the possible use of T: 
in this case, the pre-processing reduces to flipping each 
bit with some probability q. Consequently, we'll have an 
estimate rcK < Rck for the achievable secret key rate. 
Recalling the link I(X : Y) = H(X) - H(X\Y) between 
Shannon entropies and mutual information, we write our 
estimate for the CK bound as 

r CK = max [l(A : B') - I(B' : E)] 



J2 max [I(A 

x=0,l 



B'\x) - I(B' : E\x)\ . (20) 



Let's sketch the computation explicitly for x = (for 
conciseness, we omit to write this condition in the for- 
mulae below). In Table II, one reads for p(a, b): 



p(0,0) 
P(0,1) 
P(1,0) 

p(M) 



PNL _j 

2 

pI+pI 

2 



P? 



(21) 



2. Isotropic distribution 

Let's consider an isotropic probability distribution, 
that is, a distribution of the form 



P(a,b\x,y) = 



PNL K( , U \ 1 PL 

d(a + b = xyj + — 



(24) 



This necessarily implies p r - = Pl/8 for all j, r, since recall 
that the Lj are linearly independent. Note that the point 
of highest violation in the quantum region (10) is of this 
form, with p^L = V% — 1- 

Remarkably, Alice and Bob can transform any distri- 
bution with a given patl to the isotropic distribution de- 
fined by the same pnl with local operations and pub- 
lic communication, a procedure called "depolarization" 
[25]. This implies that the results of this paragraph are 
in some sense generic. In fact, by Theorem 2 of para- 
graph IIC, Eve's best individual eavesdropping strategy 
for a fixed value of pnl consists in preparing an isotropic 
distribution. Alternatively, we can modify the protocol 
to add the fact that Alice and Bob apply systematically 
the depolarization procedure. 

For isotropic distributions, the two tables for x = 
and x = 1 become identical, and we can rewrite them 
as Table III. In this Table, we have changed the nota- 
tion for Eve's knowledge, and have written (a, b) when 
Eve knows both outcomes, (a, ?) when she knows only 
Alice's, and (?, ?) when she knows none. 

This distribution has p(a = 0) = p(a = 1) = |. Be- 
fore pre-processing, the error between Alice and Bob is 
&ab — Pl/A] after pre-processing, the quantity to be cor- 
rected in error correction is e' AB = (l—q)eAB+q(]-—eAB)- 
Eve's information is ^[1 — h(q)]. Thus 



= p -^+p\+p\ + P -^ 



tck — max 
<?e[o,i] 



i-M^ B )-f [1-%)] 



(25) 
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This quantity is plotted in Fig. 2 as a function of the dis- 
turbance D defined by p NL = \/2(l - 2D) - 1. This 
parameter characterizes the properties of the channel 
linking Alice and Bob: it is therefore useful for com- 
parison with a quantum realization of the CHSH proto- 
col and with BB84, see IIIG and Appendix A. We see 
that r CK > for D < 6.3% that is p NL > 0.236 for 
the optimal pre-processing. Without pre-processing, the 
bound becomes pnl ^ 0.318. The important remark 
is that both these values are within the quantum region 
(12). This means that using quantum physics, one can 
distribute correlations which allow (at least against in- 
dividual attacks) the extraction of a secret key without 
any further assumption about the details of the physical 
realization. 



3. Reaching the Bell limit 

Another interesting example deals with the following 
question: can one find one-parameter families of prob- 
ability distributions for which Rck > as soon as 
Pnl > 0; that is, distributions for which one can ex- 
tract a secret key out of one-way processing, down to the 
limit of the local polytope? The answer is yes, and this 
can be achieved even without pre-processing. Here is an 
example: set p\ = p\, p\ = p\, and pjj 4 = 0. For both 
x = and i = lwe have p{a = 0) = p(a = 1) = \. For 
x = 0, Alice and Bob make no errors (e^io = 0), and 
Eve's information is I(B : E\x = 0) = pl; for x = 1, the 
errors of Alice and Bob are eAB\i — ^ an d Eve has no in- 
formation. In summary, even neglecting pre-processing, 

rcK = l-\h(p L /2)- P -± (26) 

which is strictly positive in the whole region p^ < 1. 

Note that the distributions described here cannot be 
broadcasted using quantum states. The reason is that the 
quantum intersection with the non-local region is strictly 
inside this region, where "inside" means that, as soon as 
Pnl > 0, all the p r must be non zero, because the L r are 
linearly independent. On the contrary, here we have set 
Pg 4 = 0. Anyway, in spite of the fact that we are not 
able to broadcast this distribution with known physical 
means, it is interesting to notice that there exists a fam- 
ily of probability distributions that can lead to a secret 
key under one-way post-processing, for any amount of 
non-locality. 

F. Two-way classical post-processing 

1. Advantage distillation (AD) 

Contrary to the one-way case, no tight bound like the 
Csiszar-Korner bound is known when two-way classical 
post-processing is allowed; nor is the optimal procedure 



known. The best-known two-way post-processing is the 
so-called advantage distillation (AD). Forgetting about 
pre-processing, one can see the effect of AD as follows: 
starting from a situation where I(A : B) < I(B : E), one 
makes a processing at the end of which the new variables 
satisfy I(A : B) > I(B : E); at this point, one applies 
the one-way post-processing. 

In AD, Alice reveals N instances such that her N bits 
are equal: = ... = ai N = a. Bob looks at the same 
instances, and announces whether his bits are also all 
equal. If indeed b il = ... = bi N — (i, which happens with 
probability (1 — cab) N + e AB' Alice and Bob keep one 
instance; otherwise, they discard all the N bits. Bob's 
error on Alice's symbols becomes 

N / \ N 

~ e AB _ ( e AB \ (r>7 , 

(l-e AB ) N + e- B ~ [i^-b) ■ (27) 

Notice that cab — ► in the limit N — > oo: this means 
that a = (3 almost always, for N sufficiently large. This 
remark is used to estimate Eve's probability of error (see 
below for concrete applications). Typically, one finds 
that Eve's error on Bob's symbols goes as 

e E > C (f(e AB )) N (28) 

with /(.) some function which depends on the probability 
distribution under study. Now, as long as the condition 

f(e AB ) > (29) 
1 - eAB 

is fulfilled, Eve's error at the end of AD is exponentially 
larger than Bob's for increasing N: there exists always 
a finite value of N such that Eve's error becomes larger 
than Bob's. The bound on the tolerable error after AD 
is then computed by solving eq. 29. 

We apply this procedure to the isotropic correlations 
described above (HIE 2), first without pre-processing, 
then by allowing Alice and Bob to perform some bit flip 
before starting AD. We anticipate the result: we find 
that a key can be extracted for pnl^, 0.09; that is, even 
with two way post-processing we are not able to reach the 
Bell limit for isotropic correlations. It is an open ques- 
tion, whether the Bell limit can be reached by a better 
two-way post-processing for the isotropic distribution. 

2. AD without pre-processing 

Wc refer to Table III. We have, as above, eAB = • 
We must now estimate Eve's error on Bob's symbol after 
AD. Eve knows a as soon as she knows one of Alice's sym- 
bols ai k , and recall that asymptotically the guess (3 = a 
is correct. The only situation in which Eve is obliged to 
make a random guess is therefore the case in which all 
the N instances correspond to Eve's symbol (?,?). The 
probability that Eve's guess of Bob's symbol is wrong is 
therefore 
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where the denominator comes from the fact that we must 
condition on the bit's acceptance. Using (29), we obtain 
that secrecy can be extracted as long aspNL > Pl/^ that 
Pnl > 1/5. This is lower than the bound obtained for 
one-way post-processing, as expected. 



3. AD with pre-processing 

The previous bound can be further improved by allow- 
ing Alice and Bob to pre-process their lists before start- 
ing AD. For two-way post-processing, it is not known 
whether bitwise pre-processing is already optimal; but 
we restrict to it in this work. Specifically, we suppose 
that Alice flips her bit with probability qA, Bob with 
probability qs- By inspection, one finds that the proba- 
bility distribution obtained from Table III after this pre- 
processing is the one of Table IV, where we have written 
q = 1 — q. Just by looking at the Table, one can guess 
the interest of pre-processing: the five possible symbols 
for Eve are now spread in all the four cells of the table. 
For instance, Eve's symbol is (0, 0) was present only in 
the case a = b = in Table III, that is, whenever she had 
this symbol Eve had full information; this is no longer the 
case in Table IV. Note also that the roles of qA and qs 
are not symmetric, because only qA mixes the strategies 
for which Eve does not know Bob's symbol. 

The distribution of Table IV is such that 

e> AB = (pnl + y) (lAVB + ^aQb) + ^ • (31) 

The estimate of Eve's error requires some attention. As 
before, we assume that as soon as Eve guesses correctly 
Alice's symbol a, she automatically guesses also (3; so the 
question is, when is Eve uncertain about a, in the asymp- 
totic regime of large N? Of course, inequality (30) still 
holds with e' AB replacing cab\ but this condition is too 
weak here: it does not make any use of the uncertainty 
introduced on Eve's knowledge by the pre-processing. 

Eve's situation now is such that, even if she has a sym- 
bol (a, b) or (a, ?), she cannot be completely sure whether 
a = a or not. Suppose that among her N symbols, Eve 
has no times the symbol (?, ?), n\ times the symbol (0, ?), 
n\ times the symbol (1, ?), n° times the symbol (0, 0), and 
n\ times the symbol (1,1). Eve cannot avoid errors when 
p(a = 0|e) = p(a = l|e), that is when n\ = n\ = m and 
n® = n\ = n 2- We have therefore the bound 

no,rai,"2 

where the sum is taken under the constraint no + 2n\ + 
2n 2 = N, 7 e is the probability that Eve has symbol e con- 
ditioned on the bit's acceptance, and 71 = ^/7(o,?)7(i,?)> 



72 = V7(o,o)7(ia)- % usm g ( n! ) 2 ~ (2n)!/2 2n and sum- 
ming the multinomial expansion, we obtain 

~e' E ^\ (7(?,7) + 271 + 272) N ■ (33) 

Now we must find the expressions for the j e in Table 
IV. Suppose for definitencss that Alice and Bob have 
accepted the bit a = [3 = 0: this happens with prob- 
ability 1 ~2 AB ■ The probability that this happens and 
that Eve has got the symbol (?, ?) is ^^(gAte + 9Ate); 
whence 7,7 ?-> = gj^(M%±MM) . Similarly, the probabil- 

<,-.-; 1 e AB 

ity that Alice and Bob accept the bit and that Eve has 
got (0,?), respectively (1,?), is ^q~A, respectively ^qA, 

whence 71 = Tn~^\ - I n a similar way, one computes 

72. By writing 5 e = (1 — e' AB )j e , we have then 

%,?) = Pnl {q~Aq~B + ffAte) , 

Si = ^-VqXqX, (34) 

h = ^ \fq~A^A\fk~B~k~B 

and the condition for extraction of a secret key becomes 

<5 (?;?) + 2<5! + 2(5 2 > e' AB . (35) 

The optimization over qA and qs can be done numeri- 
cally. The result is that a secret key can be extracted at 
least down to pnl rs 0.09. 

4- Positivity of intrinsic information 

Given a tripartite probability distribution, P(a,b,e), 
an upper bound to the secret-key rate R is given by the 
so-called intrinsic information I (A : B J. E), denoted 
more briefly in what follows by . This function, intro- 
duced in [26], reads 

I(A : B I E) = min I(A : B\E), (36) 

E^E 

the minimization running over all the channels E — > E. 
Here, I(A : B\E) denotes the mutual information be- 
tween Alice and Bob conditioned on Eve. That is, for 
each value of Eve's variable e, the correlations between 
Alice and Bob are described by the conditioned prob- 
ability distribution P(a, b\e). The conditioned mutual 
information I (A : B\E) is equal to the mutual informa- 
tion of these probability distribution averaged over P(e). 
The exact computation of the intrinsic information is in 
general difficult. However, a huge simplification was ob- 
tained in [27], where it was shown that the minimization 
in Eq. (36) can be restricted to variables E of the same 
size as the original one, E. This allows a numerical ap- 
proach to this problem. 

The intrinsic information can be understood as a wit- 
ness of secret correlations in P(a, 6, e). Indeed, a proba- 
bility distribution can be established by local operations 
and public communication if, and only if, its intrinsic 
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information is zero [28] . It is then clear why the positiv- 
ity of the intrinsic information is a necessary condition 
for positive secret-key rate. Whether it is sufficient is at 
present unknown: strong support has been given to the 
existence of probability distributions such that R = 
and I i > 0. These would constitute examples of prob- 
ability distributions containing bound information [29], 
that is non-distillable secret correlations. The existence 
of bound information has been proven in a multipartite 
scenario consisting of TV > 2 honest parties and the eaves- 
dropper [30] . However, it remains as an open problem for 
the more standard bipartite scenario. 

Using these tools, it is possible to study the secrecy 
properties of the probability distribution P(a, 6, e) de- 
rived from the previous CHSH-protocol. A first com- 
putation of its conditioned mutual information gives 
I (A : B\E) — pnl- This result easily follows from Table 
II: when e = (?, ?), that happens with probability Pnl: 
Alice and Bob are perfectly correlated, so their mutual 
information is equal to one. In all the remaining cases, 
e.g. e = (0, 0), Alice and Bob have no correlations. Using 
this observation, one can guess the optimal map E — > E. 
In order to minimize the conditioned mutual information, 
this map should deteriorate the perfect correlations be- 
tween Alice and Bob when e = (?,?). A way of doing 
this is by mapping (0, ?) and (1, ?) into (?, ?), leaving the 
other symbols unchanged [31]. We conjecture that this 
defines the optimal map for the computation of the in- 
trinsic information. Actually, all our numerical evidence 
supports this conjecture. Thus, the conjectured value for 
the intrinsic information is 

"-(•-tK 1 -*^))- <*> 

Interestingly, this quantity is positive whenever pjvl > 0. 
If the conjecture is true, it implies that either (i) it is 
possible to have a positive secret-key rate for the whole 
region of Bell violation, using a new key-distillation pro- 
tocol, or (ii) the probability distribution of Table II rep- 
resents an example of bipartite bound information for 
sufficiently small values of Pnl- 



G. Quantum cryptographic analysis of the CHSH 
protocol 

It is interesting to analyze the CHSH protocol with 
the standard approach of quantum cryptography: Alice 
and Bob share a quantum state of two qubits and have 
agreed on the physical measurements corresponding to 
each value of x and y; Eve is constrained to distribute 
quantum states, of which she keeps a purification. Re- 
cent advances have provided a systematic recipe to find 
a lower bound on the secret key rate, that is, to discuss 
security when Eve is allowed to perform the most general 
strategy compatible with quantum physics (such bounds 
have been called "unconditional security proofs", but it 



should be clear by all that precedes that this wording is 
unfortunate). 

The resulting bound on the achievable secret key rate 
is plotted in Fig. 2. Since the formalism used to compute 
this bound is entirely different from the tools used in the 
present study, we give this calculation in Appendix A. 
It turns out that the CHSH protocol is equivalent to the 
BB84 protocol plus some classical pre-processing. In par- 
ticular, the robustness to noise is the same for both pro- 
tocols. For low error rate, BB84 provides higher secret- 
key rate; however, BB84 cannot be used for a device- 
independent proof, since (as we noticed above) its corre- 
lations become intrinsically insecure if the dimensionality 
of the Hilbert space is not known. 




0.02 0.04 0.06 0.08 0.1 0.12 0.14 

Disturbance D 



FIG. 2. Achievable secret key rate for the CHSH protocol, 
after one-way post-processing: against a no-signalling Eve for 
individual attacks, isotropic distribution (HIE 2) and against 
a quantum Eve, in a two-qubit implementation (IIIG). 



IV. LARGER-DIMENSIONAL OUTCOMES 

In this Section, we explore the generalization of the 
previous results to the case of binary inputs and d-nary 
outputs: vtla — tub — 2, riA — Ub — d; that is, 
x, y € {0, 1} and a, b G {0, 1, d — 1}. Below, all the 
sums involving dits are to be computed modulo d. 

For this study, it is useful to introduce a notation for 
probability distributions and inequalities [32] . While the 
full probability space is 4<i 2 -dimensional, one can verify 
that only 4d(d— 1) parameters are needed to characterize 
completely a no-signalling probability distribution — in 
other words, D = 4d(d — 1) is the dimension of the space 
in which the no-signalling and the local polytopes are em- 
bedded. We choose the {P(a\x), a = 0,1, d — 2; x = 
0, 1} (d— 1 numbers for each value of a;), the {P(b\y),b = 
0, 1, d — 2; y = 0, 1} (d — 1 numbers for each value of 
y), and the {P(a, b\x, y), a, b — 0, 1, d — 2; x, y = 0, 1} 
((d— l) 2 numbers for each value of x, y). This we arrange 
in arrays as follows: 
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A\B 


P(b\0) 


P(b\l) 


P(a\0) 


P{a,b\0,0) 


P(a,b\0,l) 


P(a\l) 


P(a,b\l,0) 


P(a, b\l,l) 



(38) 



Note that this array has 2(d — 1) lines and as many 
columns: information on the values a, b = d — 1 is redun- 
dant for all inputs because of no-signalling. Of course, 
there is no problem in working with the " full" array with 
2d x 2d if one finds it more convenient, provided the ad- 
ditional entries are filled consistently because these pa- 
rameters are not free. 

This notation will also be used for inequalities: in this 
case, the numbers in the arrays are the coefficients which 
multiply each probability in the expression of the inequal- 
ity. Examples will be provided below. 



A. Polytopes and the quantum region 

1. Known characterization 

As one might expect, the characterization of the local 
and the no-signalling polytopes are an increasingly hard 
task, as the dimension of the output increases. 

Numerical studies [17] have provided an unexpectedly 
simple structure for the local polytope for small d: as it 
happened for d = 2, all the non-trivial facets appear to be 
equivalent to the Collins-Gisin-Linden-Massar-Popescu 
(CGLMP) inequality [33,34,17,35] 



h = 



A\B 


-1 


-1 .. 


. -1 





. . 


. 


-1 


1 


1 .. 


. 1 


1 


. . 


. 


-1 





1 .. 


. 1 


1 


1 . . 


. 


-1 





.. 


. 1 


1 


1 . . 


. 1 





1 


.. 


. 


-1 


. . 


. 





1 


1 .. 


. 


-1 


-1 .. 


. 





1 


1 .. 


. 1 


-1 


-1 .. 


. -1 



< 0. (39) 



It is conjectured that all non-trivial facets are equivalent 
to the CGLMP inequality for all d. Anyway, our work is 
independent of the truth of this conjecture: we are go- 
ing to study the possibility of secret key extraction for 
non-local distributions which lie above a CGLMP facet, 
irrespective of whether there exist inequivalent facets or 
not. 

The no-signalling polytope appears to have a richer 
structure than in the case d = 2. All the extremal non- 
local points are generalizations of the PR-box [10]. We 
are interested in those that lie above our representative 
CGLMP facet. The highest violation of CGLMP is pro- 
vided by the extremal point 



PR24 = j5(b-a = xy) . 
whose corresponding array is 



(40) 



PR 2 , d = -- 



A\B 


1 


1 . 


. 1 


1 


1 . 


.. 1 


1 


1 


. 


. 


1 


. 


. . 


1 
1 


n 
u 


1 

1 


. u 


n 
u 


1 

1 


. . u 


1 





. 


. 1 





. 


.. 1 


1 


1 


. 


. 





1 . 


.. 


1 





1 . 


. 






















■• 1 


1 





. 


. 1 





. 


.. 



(41) 



Its violation of the inequality can be rapidly calculated by 
a term-by-term multiplication (a formal scalar product) 
of the two arrays (39) and (41), yielding 



(Id,PR2,d) = 



d-l 
d 



(42) 



However, Pi?2,d is not the only non-local extremal point 
which lies above a CGLMP facet: in fact, for all d! < d, 
there is at least one PR24' above the facet. For in- 
stance, a possible version of Pi?2,2 = PR reads (boldface 
standing for matrices filled with zeros) 



PR = - 



A\B 


1 1 





1 1 





1 


1 





1 





1 


1 


1 

















1 


1 





1 





1 


1 


1 


















(43) 



whence a violation (Id, PR) = \. For d — 3, we shall give 
below (IV C) some additional elements on the structure 
of the no-signalling polytope. 

The boundaries of the quantum region are basically un- 
known to date; it is not even clear whether they coincide 
with all possible results of measurements on two-qutrits 
states. 



2. A slice in the non-local region 

As we said, a no-signalling probability distribution is 
characterized by Ad{d — 1) parameters. However, when 
one reviews the results obtained for the CGLMP inequal- 
ity in the context of quantum physics (see Appendix B for 
all details), one finds that the probability distributions 
associated to the optimal settings belong to a very sym- 
metric family. Specifically, these distributions are such 
that (i) for fixed inputs x and y, P(a 1 b\x,y) depends 
only on A = a — b; and (ii) the probabilities for the dif- 
ferent inputs are related as P(A|0, 0) = P(-A|0, 1) = 
P(-A|1,0) = P(A- 1|1,1). Compactly: 



P(a,b 



A|x,y) = - d p f 



(44) 
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with / = (-l) x+ yA + xy and p f = £ a P(a,6 = a ~ 
/|0,0). The corresponding array is 



A\B 


1 


1 . 


. 1 


1 


1 . 


.. 1 


1 


Po 


P-l ■ 


• P2 


Po 


Pi ■ 


•• P-2 


1 


Pi 


Po ■ 


■ P3 


P-l 


Po ■ 


■ ■ P-3 


1 


P-2 


P-3 ■ 


■ Po 


P2 


P3 ■ 


■ ■ Po 


1 


Po 


Pi ■ 


■ P-2 


Pi 


Po ■ 


■ ■ P3 


1 


P-l 


Po ■ 


■ P-3 


P2 


Pi ■ 


■ ■ Pi 


1 


Pi 


P3 ■ 


■ ■ PO 


P-l 


P-2 ■ 


■ ■ Pi 



■ (45) 



This family defines a slice in the no-signalling poly- 
tope. Note that all the marginals are equal, that is, 
P(a\x) = P (b\y) = 2- Moreover, the d numbers pj de- 
fine uniquely and completely a point P in the slice; thus, 
given the constraint Y^fPf = 1> the slice defined by (44) 
is (d— l)-dimcnsional. A single extremal non-local point 
belongs to the slice, namely Pi?2,d, obtained by setting 
Po = 1 (40); in fact, none of the PRd> with d' < d has 
the correct marginals. 

As it happened for the isotropic distributions for d = 2, 
there exists a depolarization procedure that maps any 
probability distribution onto this slice by local operations 
and public communication, while keeping the violation 
(Id, P) constant. The procedure is given in Appendix C. 
As a consequence, Eve's optimal individual eavesdrop- 
ping, for a fixed value of the violation of the inequality, 
consists in distributing a point in the slice. 



B. Cryptography 

1. The protocol 

We suppose from the beginning p(x = i) = p(y = j) = 
5 . The protocol is the analog of the CHSH protocol de- 
scribed in III C above. When Alice announces x = 1 and 
Bob has measured y = 1, Bob corrects his dit according 
to b — > b — 1. In other words, the pseudo-sifting imple- 
ments A — > A — xy. The Alice-Bob distribution after 
pseudo-sifting, averaged on Bob's settings, becomes in- 
dependent of x (as in the case of isotropic distribution 
for d = 2): 

P(a, a - A\x) = 1 ^ P(_i). + ,a - PA+ 2 !~ A ■ (46) 
y=o,i 

In a protocol with d-dimensional outcomes, Alice and 
Bob can estimate not just one, but several error rates, 
one for each value of A. We have just found that these 
error rates exhibit the symmetry 

e AB (A)=e AB (-A) = P -±±f^. (47) 



As in the case of bits, we think of Eve as sending cither 
a local or a non-local probability distribution. Let's dis- 
cuss in some detail the points which lie on and above a 
CGLMP facet. 



2. Eve 's strategy: local points 



To understand what follows, we don't need a full char- 
acterization of the deterministic strategies that saturate 
the CGLMP inequality Some facts are however worth 
noting; the proof of these statements and some other 
features are given in Appendix D. 

The first fact is that, for d > 2, the number of de- 
terministic points on the CGLMP facet is strictly larger 
than D = 4d(d— 1 ) , the dimension of the local and the no- 
signalling polytope. This implies that, for some points on 
the facet, several decomposition as a convex combination 
of extremal points are possible. 

The second fact is that no extremal deterministic strat- 
egy belongs to the slice (44): to sec it, just recall that 
the marginals in the slice are completely random. Since 
we require the final distribution to belong to the slice, 
Eve must manage to send deterministic strategies with 
the suitable probabilities. As a consequence of the pre- 
vious remark, at least one local point on the slice can be 
obtained by several different decompositions on extremal 
points: we'll have to choose the decomposition that op- 
timizes Eve's information. 

As a third fact, we elaborate on the same idea that 
lead to the uncertainty relations in paragraph HID. We 
know that all deterministic strategics are not equally in- 
teresting for Eve, in fact, two kind of local points are of 
special interest for her: (i) those for which 6(0) = 6(1), 
because Eve knows Bob's symbol when Alice announces 
x = 0, and which we denote by the set £q] and (ii) those 
for which 6(0) = 6(1) — 1, because Eve knows Bob's sym- 
bol when Alice announces x = 1, and which we denote 
by the set L\. In all the other cases, Eve does not learn 
Bob's symbol with certainty. Now, in the complexity of 
the list of deterministic points on the CGLMP facet, a 
remarkable feature appears: 

• There are exactly d 2 points in namely those for 
which a(0) = 6(0) = 6(1) and a(l) can take any 
value. In other words, there are no points on the 
CGLMP facet such that 6(0) = 6(1) but o(0) is dif- 
ferent from this value: whenever Eve learns Bob's 
symbol for x = 0, Alice and Bob make no error for 
x = 0. 

• There are exactly d 2 points in C\, namely those for 
which a(l) = 6(0) = 6(1) — 1 and a(0) can take 
any value. This has a similar interpretation as the 
statement above, in the case x = 1. 
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Now, since the error rate Alice-Bob depends only on 
P(a, b\x, y), and not on the particular decomposition cho- 
sen by Eve to realize this distribution, it is obvious that 
Eve's interest lies in distributing local points that belong 
to £ = Co U C\ as often as possible. For d = 3, we 
shall prove that she can prepare any point in the slice by 
distributing only these kind of local points. Finally, we 
want to introduce a further distinction within £, which 
appears explicitly in the study of d — 3 but may play a 
more general role. We shall call C 3 the subset of £, whose 
points satisfy three out of the four relations a(0) = 6(0), 
a(0) = 6(1), a(l) = 6(0) and a(l) = 6(1) - 1; the comple- 
mentary set, containing the points that satisfy two of the 
relations (o(0) = 6(0) = 6(1) or a(l) = 6(0) = 6(1) - 1), 
is written C 2 . 



3. Eve 's strategy: non-local point 

We have said that, among the extremal non-local 
points which lie above the CGLMP facet, the only one on 
the slice (44) is Pi?2,d- However, it may be the case that 
mixtures of other extremal non-local points lie as well in 
the slice. For d = 3, this is not the case (see Appendix E), 
but we have not been able to generalize this statement. 
In this study, we suppose tentatively that Eve sends a 
unique non-local strategy, namely -Pi?2,d- Under this as- 
sumption, we can define pn l as the probability that Eve 
sends PR%^. To find the expression of pnl, we notice 
that (Id, PR®,d) — should correspond to p^r, = 1, 
and that (Id,L) = for all local points on the CGLMP 
facet, should correspond to p^L = 0. Moreover, pml 
measures the geometrical distance from the facet and is 
therefore an afiine function of the violation of CGLMP. 
Thus for a generic distribution P of the form (45) we 
have 

Pnl = j—^ (Id, P) = 

= -2 + (i - An) $p- A - p a +^ • ( 48 ) 

A=0 ^ ' 

Now we can present the results for the possibility of 
extracting a secret key, starting from a detailed study of 
the case d — 3 (IV C), then generalizing some results for 
arbitrary d (IV D). 



The full slice has a form of an equilateral triangle (Fig. 3), 
whose vertices Va are defined by pa = 1. As mentioned, 
Vo = -Pi?2,3- The vertex V 2 is also a Pi?2,3, the one de- 
fined by 6 — a — xy + 1 with z = 1 — z. On the contrary, 
V\ a mixture of deterministic strategies. The middle of 
the triangle, po = p\ = P2 = ^, is the completely random 
strategy (obtained e.g. when measuring the maximally 
mixed quantum state, the "identity"). 




FIG. 3. The slice (44) of the no-signalling polytope, for 
d — 3. As explained in the text, the full extent of the quan- 
tum region is not known, it is represented by the dotted line 
with question marks. The full line is the part of the quantum 
region we can certainly reach and that we consider in this 
paper. See text for all the other details. 



We are going to focus on the non-local region close to 
V Q (Fig. 4). The intersection with the CGLMP facet is 
the segment po — Pi = \, whose ends are the points la- 
belled M 2 (p = 5, Pi = 0) and M 3 ( Po = f, Pl = ±). 
The decompositions of these mixtures on the extremal 
deterministic strategies are 



M 2 = ^-L,M 3 =^ — L (50) 
Lec 2 Lec 3 



C. Secret key extraction: d — 3 



1. The slice of the polytope 

The slice (44) is 2-dimensional for d — 3, we choose po 
and pi as free parameters; this gives p 2 = 1 — Po — Pi and 

PNL = 2(p -pi)-l. (49) 



where the sets of local points C 2 and £ 3 have been defined 
above. In fact, the decomposition of M3 is unique; con- 
versely, Mi can be decomposed in an infinity of ways (see 
Appendix E), but all the others involve also the points 
that don't belong to £ and are therefore sub-optimal for 
Eve. 
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1 - way (q 
2 — way 



1 - way {q = 0) 
1 , 




FIG. 4. Zoom of Fig. 3 on the non-local region close to 
Vq. For clarity, only the part of the quantum region that 
we consider is represented here. The transverse lines de- 
fine the limits down to which secrecy can be extracted for 
one-way post-processing (without and with pre-processing) 
and for two-way post-processing without pre-processing. In 
the shaded region, the intrinsic information Iy is zero. We 
stress that this figure is an exact plot, not just an "artist 
view". See text for the other details. 

The quantum-mechanical studies (see Appendix B for 
more details) have singled out two non-local probability 
distributions in this region. The first one corresponds 
to the maximal violation of CGLMP using two qutrits, 
Pnl ~ 0.4574: it is noted Q mv and is denned by (B6) 

with 7 = -^2^^. The second one corresponds to the 
highest violation achievable with the maximally entan- 
gled state of two qutrits, pnl ~ 0.4365: it is noted Q me 
and is defined by (B6) with 7 = 1. 



-PL 1 



log 3 2 



(52) 



The curve rcx{q = 0) = is shown in Fig. 4, it clearly 
cuts the quantum region. 

A natural question is, which is the point that maxi- 
mizes rci<{q = 0) under the requirement that the corre- 
lations should belong to the quantum region. In the slice 
under consideration, we find a rate r max (q = 0) ~ 0.09 
trits pa 0.144 bits for the correlations defined by po — 
0.8286, pi = 0.1093. These correlations can be obtained 
by measuring the quantum state 



mi)) = 



i 



(|00)+ 7 |11) + |22» 



(53) 



for 7 pa 0.9875. This state is close to, but certainly dif- 
ferent from, the maximally entangled state. Thus, the 
secret key rate exhibits the same form of anomaly as 
all the other measures of non-locality known to date [45] : 
maximal non-locality is obtained with non-maximally en- 
tangled states. 

We consider now Bob's pre-processing. For one-way 
post-processing, dit-wise pre-processing is already opti- 
mal. A priori, one can define two different flipping prob- 
abilities q + i and associated respectively to 6 — > 6+1 
and 6 — * 6 + 2. But it turns out by inspection that the 
optimal is always obtained for q + i = q~i = q, so we write 
down directly this case. From (51) it is clear that after 
pre-processing 



2. One-way classical post-processing 



-AB 



(+1) 



£b(-D ^ = ^ 



1 o ( 54 ) 



To write down the table for the correlations Alice-Bob- 
Eve, one needs to list explicitly the deterministic points 
that saturate CGLMP and the corresponding informa- 
tion Eve can extract. This is done in Appendix E. The 
result is Table V. It can be verified easily that all the 
probabilities in a row/column sum up to i; moreover, 



eAEi(+l) = eAs(-l) = 



1 -Po 



(51) 



as expected from (47). We have introduced the sym- 
bol ?2 to describe the situation where Eve is uncer- 
tain on Bob's symbol, but only among two possibili- 
ties: this is clearly the case whenever the uncertainty 
derives from a deterministic strategy. In all that fol- 
lows, information is quantified in trits, and we write 
h([v u v 2 ,v 3 ]) = -Ej^iogs^ 

In the absence of pre-processing, Eve has no informa- 
tion with probability pnl, full information with proba- 
bility f, and information l-/i([l/2, 1/2,0]) = l-log 3 2 
with probability Therefore the estimate for the CK 
bound is 



Rcxiq = 0) > r C K = 1 



Po, 



1 - Po 1 - Po - 



whence 



I(A : B') = 1 - h( [1 



g ' 2' 2 



(55) 



Eve's information is computed by recalling that, for any 
local point she sends out, before pre-processing (i) for 
one value of x, she knows perfectly Bob's symbol 6; (ii) 
for the other value of x, she hesitates between two val- 
ues of 6. Pre-processing leaves 6 unchanged with prob- 
ability 1 — 2(7, and sends it to 6 ± 1 with probability q 
each. Therefore, in case (i), Eve's information is low- 
ered from 1 to 1 — h([l — 2q,q,q]) = 1 — hi(q); in case 
(ii), Eve's information is lowered from 1 — /i([i,i,0]) 
to 1 — h([-^-, -^,<z]) = 1 — h 2 {q). Since each case is 
equiprobable, 



I(E:B') = l-~[h 1 (q) + h 2 (q)} 



(56) 



From (55) and (56), we can compute tqk by optimizing 
the value of q. We did the optimization numerically. The 
improvement due to pre-processing is clear in Fig. 4. 
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3. Two-way classical post-processing 



D. Secret key extraction: generic d 



We have also studied the possibility of extracting a 
secret key from the correlations of Table V using AD 
(without pre-processing) . Alice selects N of her symbols 
that are identical, Bob accepts if and only if his cor- 
responding symbols are also identical. The probability 
that Bob accepts is p$ + [cab{+^)] n + [&ab{— 1)]^, and 
consequently 



e AB (±l) 



l-po 
2 



.N 



< + 2(i^) 



N 



1 -Pa 
2 P0 



N 



(57) 



As in the case d = 2, Eve has to make a random guess if 
and only if she has sent Pi?2,3 for all the N instances: 



- an > 1 ( P NL 
e E (±l) > - 

3 \ Po 



N 



(58) 



Thus, a secret key can be extracted using AD as long as 



Pnl > — 2 s -, that is as long as 

5po > 4pi + 3 . 



(59) 



The limiting curve is also plotted in Fig. 4. Its extremal 
points are pnl > \ for p\ — (the same value as ob- 
tained for d = 2) and pnl > h for P2 = 0. 



4- Intrinsic information 



It is straightforward to generalize the map used above 
in the computation of the intrinsic information to the 
d = 3 case. Looking at table V, one has to map all the 
symbols (i, I2) into (?, ?), where i = 0, 1, 2. The obtained 
conditional mutual information reads 



I(A : B\E) = P(?,?) x 



1 - h 



2po ~ PL 1 -Po 1 -Po 
2 -Pl ' 2 - p L ' 2 - p L 



(60) 



This is of course an upper bound to the intrinsic informa- 
tion, since the employed map may not be the optimal one. 
Contrary to what happens in the d = 2 case, this quantity 
vanishes for some points inside the region of Bell viola- 
tion! Indeed, Eq. (60) is zero on the line 5po — 2pi — 3 = 0; 
by changing slightly Eve's map (specifically, she applies 
the map above only with a suitable probability and makes 
nothing in the other cases), it can be verified that the in- 
trinsic information is zero also below the line, that is for 



5p - 2pi - 3 < . 



(61) 



This region overlaps with the non-local region (Fig. 4). 



For generic d, we want to prove that secrecy can be 
generated using quantum states. The statistics Alice-Bob 
can be computed using quantum mechanics, in particular 
the error rates cab(A) of Eq. (47). The question is, how 
to estimate Eve's information: to compute this quan- 
tity exactly, one must describe the points in the CGLMP 
facet in some detail. However, some interesting bound 
can be derived from what we have already said and the 
intuition developed in the study of d = 3. 

Consider first one-way post-processing: the discussion 
of paragraph IV B 2 implies the bound 

I(B:E)<I E = ^ + ^(l-lo Sd 2). (62) 

The bound is reached if and only if Eve distributes strate- 
gies that belong to C, as it happened to be always pos- 
sible for d = 3. Moreover, this bound can also be 
computed from the Alice-Bob distribution only assum- 
ing (48). Consequently we can estimate 

Rc K (q = 0)>r = l-h ({e AB (A)} A ) - I E (63) 

with h the Shannon entropy measured in dits. We have 
studied the r.h.s. numerically for d < 10, for cor- 
relations in the quantum region obtained from states 
that are Schmidt-diagonal in the computational basis, 
\ip) = X)fe=o c fel^^)- The general features that emerge 
are: 

• The maximal value of 1Z achievable in the quantum 
region increases with d, reaching up to 1Z s=s 0.692 
bits for d = 10. 

• The quantum state corresponding to the maximal 
value of 1Z is always such that Ck = Cd-i-k- It 
seems that the overlap r\ of this state with the max- 
imally entangled one decreases with d, but the de- 
crease is very slow (we have 77 = 1 for d — 2, and 
for d = 10 we still have n > 0.998). 

A similar simple approach can be found to explore the 
possibilities of two-way post-processing. We have 



e AB (A) ~ [e^s(A)] < 



max 

A=l,...,d- 



N 



(64) 



and Eve's error is e E ~ 3 Pnl- Consequently, AD will 
certainly work for 



Pnl > max e^A) . 

A=l,...,d-1 



(65) 



All the quantities in this relation can be computed from 
the Alice-Bob correlations alone. As before, we have 
studied this condition numerically, for d < 100. This 
time, we have concentrated on correlations of the form 



P = wP me + 



where P me are the correlations 



obtained when measuring the maximally entangled state 
(this is of course a completely arbitrary choice, but seems 
interesting from the point of view of quantum physics). 
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One observes that, as expected, the use of two-way post- 
processing significantly decreases the value pnl{0) of 
Pnl for which no secrecy can be extracted. Moreover, 
Pnl(0) decreases when d increases, but very slowly; so 
slowly in fact, that it cannot be guessed from the numer- 
ical results whether ultimately pnl(0) — ► for d — > oo. 

In summary, we have obtained a few results for generic 
d. In spite of a large number of assumptions and approx- 
imations (not least the choice of the protocol), we can 
conjecture that secrecy can be extracted from quantum 
non-local correlations for any d; and more precisely, that 
the amount of extractable secrecy increases with increas- 
ing d. 



V. CONCLUSIONS AND PERSPECTIVES 

In conclusion, we have presented a first approach to a 
device-independent security proof for cryptography, ex- 
panding and generalizing the work of Ref. [4] . Under the 
assumption of individual attacks, we have proved that 
a secret key can be extracted from some no-signalling 
probability distributions, using only the very fact that 
they violate a Bcll-typc inequality and cannot therefore 
originate from shared randomness. In particular, noisy 
quantum states can be used to distribute correlations, 
that are non-local enough to contain distillable secrecy: 
so our result is also of practical interest. 

We'd like to finish by raising some of the questions and 
perspectives that are opened by this work. 

• A first objective is to extend our analysis beyond 
the assumption of individual attacks, proving ul- 
timately the security against the most general at- 
tacks by an eavesdropper limited by no-signalling. 
A first step in this direction has been recently de- 
rived [36]. 

• One can make a step further: can one make a 
device-independent proof of security against an 
eavesdropper which would be limited by quantum 
physics? On the side of Alice and Bob, non-locality 
should still be the physical basis for security, be- 
cause there exist no other entanglement witness 
which works independently of the dimension of the 
Hilbert space. On the side of Eve, the requirement 
that she must respect quantum physics is a limi- 
tation, compared to power we gave her in this pa- 
per; so one can hope to obtain a device-independent 
proof with better bounds. 

• In this paper, we have defined protocols which look 
as "natural" for the CHSH and the CGLMP in- 
equalities. But there is no claim of optimality. In 
fact, it is not even proved that the pseudo-sifting 
that we have used is the best way of extracting se- 
crecy from the raw correlations of CHSH-like mea- 
surements (Table I). Other protocols may be bet- 



ter suited for cryptographic tasks, as discussed in 
Ref. [37]. 

• A particular consequence of the previous item is 
worth mentioning in itself. On the one hand, it 
has been proved that all non-local probability dis- 
tributions have positive intrinsic information [25]. 
On the other hand, as mentioned several times in 
this paper, we have not been able to find an ex- 
plicit procedure for extracting a secret key in the 
whole non-local region. This means, either that a 
better procedure does exist, or that non-local dis- 
tributions close to the local limit provide examples 
of bipartite bound information [29,30]. 

• A technical open point, which we mentioned and 
would be very meaningful for the present studies, 
is the characterization of the quantum region in 
probability space for a given number of inputs and 
outcomes. 
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APPENDIX A: LOWER BOUND FOR A 
QUANTUM IMPLEMENTATION OF THE CHSH 
PROTOCOL 

In this appendix, we study the security of the CHSH 
protocol in the standard scenario where Eve is limited 
by the quantum formalism, and Alice and Bob have a 
perfect knowledge on their quantum devices. More pre- 
cisely, Alice and Bob know their Hilbert spaces are two- 
dimensional and they apply the spin measurements that 
produce the largest Bell violation for the noiseless state 
|$+) = -i=(|00) + 1 11)). For instance, Alice and Bob 
measure in the xz plane, their spin measurement being 
defined by the angle 6 with the z axis on the Poincare 
sphere. Alice measures in the 9 = it/ 2 and = 
bases, corresponding to x = 0, 1 respectively, while Bob 
does it in the 9 = 7r/4, 37r/4 directions, corresponding to 
V = 0, 1. 

As shown in Refs [38,39] , the bound for security against 
the most general attacks ("unconditional security") can 
be computed by focusing on " collective attacks" , where 
Eve prepares the same two-qubit state pab on all in- 
stances, but is allowed to make a coherent measurement 
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of her ancillae after error correction and privacy amplifi- 
cation. 

By inspection, or by using the formalism developed in 
Rcf. [38], it can be proved that Eve's optimal strategy 
uses a Bell-diagonal state of the form 



Pab = Ai$+ + A 2 ($~ 



(Al) 



where 4> ± and denote the projectors onto the Bell 
basis 

1 



|<I>±> = — (|00)±|11)) 

|*±) = -L(|oi)±|io)). 



(A2) 



By assumption, Eve holds a purification of each pair: be- 
fore any measurement, the quantum correlations among 
Alice, Bob and Eve are described by the pure state 

\-4>abe)® N where p A B = ^e\"4>){^\abe- 

In the CHSH protocol, Alice and Bob's bases do not 
perfectly overlap: their outcomes are therefore not per- 
fectly correlated even in the case Ai = 1 (perfect channel, 
no Eve): actually, the quantum bit error rate (QBER) 

in this case is Qq = sin 2 (7r/8) = 



1 



l 

V2 



For 



the same channel, the BB84 protocol has zero QBER. 
In the light of this, the meaningful parameter to com- 
pare the two protocols should not be the QBER, but 
a measure of the quality of the channel. We use the 
disturbance, that is the probability that measurement 
outcomes in the same basis agree: in our case, D = 
(+z, -z\pab\ + z, -z)+(-z, +z\pab\ - z, +z) = A 2 +A 4 . 

Now, Alice and Bob measure their local systems, while 
Eve keeps her quantum state. In this scenario, a lower 
bound to the key rate distillable using one-way commu- 
nication protocols has been obtained in [40], 



R-^>R DW =I{A:B)-x(B:E). 



(A3) 



Here, I(A : B) denotes the standard mutual informa- 
tion between Alice and Bob's classical outcomes, while 
\(B : E) is the Holevo quantity for the effective channel 
between Bob and Eve. Indeed, Bob's measurement out- 
come prepares a quantum state on Eve's site (see [40] for 
more details). Contrary to the more standard situation, 
Eve does not know which measurement Bob has applied, 
so she has to sum over the two possibilities. Her states 
read, up to normalization, 



p l E = tr ab 



ABE I 

(A4) 



where i = 0, 1 and \i) e denote the basis elements in the 
direction specified by 6, as above. It is straightforward 
to see that for the CHSH protocol 



I(A : B) = 1 - h 



'l + (Ai- A 4 )/V2 N 



(A5) 



The computation of X {B : E) = S{p E ) - {S{p%) + 
S(p E ))/2, where S(p) denotes the von Neumann entropy 
for a state p, is slightly more involved. However, after 
some patient algebra one can see that the maximum of 
this quantity is obtained, for fixed disturbance, when 



Ai = (1 - Df A 2 = D(l - D) A 4 



(A6) 



which defines Eve's optimal attack. Not surprisingly, this 
attack corresponds to a phase covariant cloning machine 
(see for instance [41]), that optimally clones all the states 
in the xz plane. This attack is also optimal for the stan- 
dard BB84 protocol. 

The obtained critical disturbance for CHSH is D w 
12%. This is larger than the well-known Shor-Preskill 
bound D w 11% for security of BB84 [42]. This bound, 
however, has recently been improved by allowing any of 
the parties, say Alice, to introduce some pre-processing 
of her outcome before the reconciliation [38] . Alice then 
flips her bit with probability q. This local noise worsens 
the correlations between Alice and Bob but it deterio- 
rates in a stronger way the correlations between Alice 
and Eve. For any value of the disturbance there exists 
an optimal pre-processing q(D), depending on the pro- 
tocol, which maximizes the key rate. This explains the 
improvement on the critical disturbance that moves up 
to D w 12.4% both for BB84 and for the CHSH protocol 
described here. 

Actually, the close relation between the CHSH pro- 
tocol and the BB84 protocol is made clear by this pre- 
processing. Let Qb = D and q E be respectively the 
QBER and the pre-processing rate for BB84; and Qc 
and qc denote the same quantities for the CHSH proto- 
col. Note first that the channel defined in (A6) induces 



a QBER Q B = D in BB84, and a QBER Q c 
for the CHSH protocol; whence 



D 
V2 



Qb = V2(Q C - Q ) 



(A7) 



R C ol SH (Qc,a c ) 



It can then be shown that 

Rdw A (Qb, Qb) when the QBERs are related as (A7) and 
when 



q B =Q + -. 

These two relations imply 

Q' = Q c (l - qc) + (1 - Qc)qc 
= Qs(l - q B ) + (1 - Q B )q B ■ 



(A8) 



(A9) 



Consider first for clarity the case qc = 0: the error 
in CHSH due to the non-perfect overlap of the bases 
can be attributed to the application of a pre-processing 
9s = Qo onto the correlations obtained with perfectly 
overlapping bases (indeed, the errors Qo are intrinsic to 
the protocol, and Eve cannot gain anything from them). 
In general, the rates obtained for the CHSH protocol 
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in the standard quantum scenario coincide with those 
derived for the BB84 protocol when the pre-processing 
is optimized under the constraint qs > Qo- If we 
now compare R%w SH (Qc) and R^ 4 (Q B ) for a fixed 
value of D [that is, (A7) holds] and choosing the op- 
timal pre-processing in each case, we find the follow- 
ing. For small error rates, the optimal pre-processing 
on BB84 is smaller than Q ; in other words, even for 
qc = CHSH corresponds to BB84 with an excessive pre- 
processing, whence R%%? H (Q C ) < R^ 4 (Q B )- The op- 
timal pre-processing on BB84 becomes equal to Qo for 
D w 11.7%; from this point on, the optimal qc is larger 
than zero, and the rates for the two protocols become 
identical: Rdw SH (Qc) = Rdw 4 (Qb)- In particular, as 
announced, both become zero for D w 12.4%. 



APPENDIX B: THE CGLMP INEQUALITY IN 
QUANTUM PHYSICS 

The CGLMP inequalities [33] have been the object of 
several studies in the context of quantum physics. Here 
we summarize the results without any proof. 

One unexpected features of CGLMP is the fact that 
the maximal violation is not reached by measurements 
on the maximally entangled state [43]. Also unexpected 
is the fact that the settings that maximize the violation 
are the same for a wide class of states (including the max- 
imal entangled one and the one which gives the maximal 
violation). These are the settings we consider here. We 
label them A and A\ for Alice, B and B\ for Bob: 

A x = {* x (a)} d a Zl , **(a) = S^7=r( e<fc *"l*» ' ( B1 ) 

k=o ^ d 

d-l -ilfbk 

By = {%{b))tl , $y(b) = ]T — =- (e ifc9 *|A» . (B2) 

k=o ^ d 

In operational terms, both Alice and Bob apply first 
global phases in the computational basis, then make a 
quantum Fourier transform (Bob makes the inverse as 
Alice), and finally measure in the new basis and outcome 
the value a or b. 

Consider quantum states that are Schmidt-diagonal in 
the computational basis: 



\yj)=J2ck\kk) 



(B3) 



with c/c £ Ft: on this family, one finds 

j d-l 

P(a,b\x,y) = c k°k' x 



cos 



fe,fe'=0 

~d 



A + 4> x +0y)(k- k') 



(B4) 



with A = a — b. The only freedom left is the choice of 
the four angles <p x and 9 y . The settings we are interested 
in arc defined by 



0. 



7T 

2d 



7T 

2d 



(B5) 



With these settings, (44) holds. 

For the case d = 3, all the interesting states found 
to date are of the form (53). For instance, 7 = 1 is 
the maximally entangled state; the maximal violation 
is obtained for 7 = _ 0.7923 [43]; the largest 

Kullback-Leibler distance from the set of local distribu- 
tions is obtained for 7 w 0.6529 [44]; and we have shown 
above (IV C) that the maximal amount of secret key rate 
under one-way processing is found for 7 w 0.9875. For 
the states |^(7)), the pa — P{a, A — a|0, 0) are: 



Po 
Pi 

P2 



1 , 1+2737 A 



= i 1- 



2+r 



(B6) 



1 4- 1 ~ 2 ^ '\ 



APPENDIX C: DEPOLARIZATION FOR 
ARBITRARY D 

1. The procedure 

Suppose Alice and Bob share initially an arbitrary no- 
signalling probability distribution P(a,b\x,y). The de- 
polarization procedure that brings P in the slice defined 
by (44) is very similar to the one described in Ref. [25] 
for d = 2. It consists of two steps. 

R 

Step 1. Alice chooses k € {0, d~ 1} with probability 
2 and communicates it to Bob on a public channel. Both 
Alice and Bob perform 



a 
b 



This 



implements 
1 



a + k 
b + k ■ 

-> Pi 



(CI) 



which is such that 
Pi(a, b\x,y) = 2 Sfe P( a + b + k\x, y) and is conse- 
quently a function only of A = a — b. 

Step 2. With probability |, Alice chooses one of the 
following four procedures and asks Bob on the public 
channel to act accordingly: 



Proci : 

Proc 2 : 

Proc 3 : 

Proc 4 : 



A : 


do nothing- 


B : 


do nothing 


A : 


x - 


-» x, a — > —a 


B : 


b- 


+ -b + y 


A : 


a - 


-> — a — x 


B : 


y - 


-> y, b — > — b 


A : 


x - 


-» x, a — > a + x 


B : 


y - 


->y,b->b + y 



(C2) 
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where we have written x — 1 — x. This implements 
Pi — ► P 2 such that 

4P 2 (a, 6|0, 0) = Pi (a, 6|0, 0) + Pi (-a, — 6jO, 1) 

+Pi(-a, — fojl, 0) + Pi (a, 6 + 1|1, 1) 
4P 2 (a, 6j0, 1) = Pi (a, 6|0, 1) + Pi (-a, -b + 1|1, 1) 

+Pi(-a,-6|0,0) + Pi(a,6|l,0) 
4P 2 (a,6|l,0) = Pi(a,6|l,0) + Pi(-o- 1, — 6|1, 1) 

+Pi(-a, — 6j0, 0) + Pi (a + 1, b+ 1|0, 1) 
4P 2 (a, 6|1, 1) = Pi (a, 6|1, 1) + Pi (-a, -b + 1|0, 1) 

+Pi(-a - 1, — 6|1,0) + Pi (a + 1, 6|0, 0) . 

Because of the symmetry of Pi, this implies 
P 2 (a, 6|0, 0) = P 2 (-a, -6|0, 1) = P 2 (-a, -6|1, 0) = 
P 2 (a, 6 + 1 1 1 , 1) which is nothing but the definition of 
the slice (44). 



2. Examples 

We said in the main text that none of the extremal 
points of the form PP 2 ,d', with d! < d, is on the slice. 
Let's then consider a realization of PR24' , the one whose 
array is 



A\B 


1 





1 





1 


t d > 





Id' 




















1 


td> 


























(C3) 



where boldface numbers indicate arrays containing all 
ones or all zeros, 1^ is the identity matrix of dimension 
d' x d' , and where Ud> is the d' x d! matrix 



u d . 



/o 1 00 
10 
1 





V 1 








1 

0/ 



(C4) 



The arrays (39) and (C3) allow to compute immediately 
the "scalar product" 



Id,P(d') 



'4 



(C5) 



generalizing the results we gave in the main text for 
d' = 2 and d' = d. 

By following the steps of the depolarization protocol, 
one finds that P(d') goes to the distribution in the slice 
which is given by 



P{d!) — ► P 2 (d') = 



- I Pa 



Pd> = m 



(C6) 



and obviously all the other pf are zero. Using (48), one 
can verify that ^7^, P 2 (rf')^ = 1 — ^7: the violation is pre- 
served. As we said in the main text, this is not peculiar 
to this example, but is a general feature, as we show in 
the next paragraph. 



3. Preservation of the violation of CGLMP 

We want to prove that this depolarization preserves 
the violation of the CGLMP inequality, that is 



(/d,P 2 ) = (Id,P) ■ 



(C7) 



The easiest way is to write down Id as it appeared in the 
original paper [33], namely Id < 2 with 

[d/2]-l 



h= E ( 1_ d^iJ {[^(-fe|o,o)+p(fc|o,i) 

+P(fc|l,0) + P(-fc-l|l,l)] - [P(fc + l|0,0) 
+P(-k - 1|0, 1) + P(-k - 1|1, 0) + P(fc|l, 1)] } 

where P(A\x,y) = P(a — b = A\x,y). The link between 
I d and our definition of Id is provided by 



Id = 



d-l 
2d 



(-2 + I d ) . 



(C8) 



Using the expression of I d , the proof is straightforward. 
In fact, Step 1 keeps by definition all the P(A\x,y) con- 
stant, while Step 2 keeps both sums in [...] constant. 



APPENDIX D: DETERMINISTIC STRATEGIES 
THAT SATURATE CGLMP 

We present here a more detailed study of the extremal 
points that lie on the CGLMP facet, completing what 
has been written in paragraph IV B 2. 

Consider the array which represents the CGLMP in- 
equality Id < 0, eq. (39); here, it is more convenient to 
look at it as having 2d x 2d entries [35]. Let I[i,j] de- 
note an entry of this array. For the deterministic strategy 
{a(0),a(l);6(0),6(l)}, the value of CGLMP is simply ' 

1 

I* = -2+ £ iWx)Xv)] 

x,y—0 

= -2 + S[b(0) > o(0)] + S[a(0) > 6(1)] 

+S[a(l) > 6(0)] - S[a(l) > 6(1)] (Dl) 

where the —2 comes from the marginals of a(0) and 6(0), 
and where S[C] is equal to 1 if condition C is satisfied 
and to otherwise. The inequality is saturated by all 
the strategies such that I d = 0. 
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Consider the points such that 6(0) = 6(1): the last two 
conditions become equal and the 5's compensate each 
other for all a(l), so the only way to saturate the inequal- 
ity is to fulfill both 6(0) > a(0) and a(0) > 6(1) = 6(0); 
whence a(0) = 6(0) = 6(1) as announced in the main 
text. The proof of the analog statement in the case 
6(0) = 6(1) — 1 is similarly done by inspection. One first 
considers 6(0) < d— 1: in this case, 6(1) > 6(0), therefore 
the first two conditions cannot be both fulfilled, what- 
ever a(0) is. One can then easily verify that only the 
choice a(l) = 6(0) leads to a saturation of the inequality. 
The last remaining case is 6(0) = d — 1, 6(1) = 0: it can 
be read directly from the array, and leads to the same 
conclusion. 

So, we have proved the properties of sets £o and C\, 
which consist of d 2 points each; we still have to prove 
that the number of points on the facet is larger than 
D = Ad{d — 1). This is easily done by noticing the fol- 
lowing: the four "natural" relations associated to the 
CGLMP inequality, those that are simultaneously ful- 
filled by PR 2 ,d, are: 



i?i0 



o(0) = 6(0) 

a(0) = 6(l) 
a(l)=6(0) 
a(l) = 6(l)-l. 



(D2) 



Because of the specific pseudo-sifting of our crypto- 
graphic protocol, we grouped them by pairs according 
to Alice's input. But from the standpoint of the inequal- 
ity, any pairwisc grouping is equally meaningful. It can 
indeed be easily verified using (Dl) that all the points 
that fulfill at least two among these relations saturate the 
inequality. There are therefore 4d strategies that fulfill 
three relations, and 6d(d — 2) strategies that fulfill ex- 
actly two relations. In conclusion, by looking only at the 
points that fulfill at least two among the four relations 
(D2), we have already Qd 2 — 8d deterministic points on 
the CGLMP facet, and this number is larger than D for 
d > 2. We note that the list is exhaustive for d — 3 (see 
Appendix E), but not in general. For instance, for d > 5, 
the strategy {a(0) = 4,a(l) = 1; 6(0) = 5,6(1) = 3} ful- 
fills none of the relations (D2), but achieves nevertheless 
I d = 0. 



APPENDIX E: EXPLICIT ANALYSIS FOR D = 3 

1. Deterministic strategies on the facet 

We give here the explicit list of the 30 deterministic 
strategies that saturate CGLMP. We note r = 0, 1, 2. 
The twelve strategies in £ 3 are 



rr 
■^3,1 




= r, b(y) = r} 




j r 
^3,2 


= Mx) 


= r- x,b(y) = 


r} 


-^3,3 


= M x ) 


= r, b(y) = r + 


y} 


■^3,4 


= {a(x) 


= r- x,b(y) = 


r + y-1} 



(El) 
(E2) 



The six strategies in C 2 are 

£o : L 2,i = {a(x) = r + x, b(y) = r} 

C\ : U 22 = {a(x) =r + x, b(y) = r + y + 1} . 

The twelve strategies outside C are: 



(E3) 
(E4) 



rr 

L e,l 


= {a(x) 


= r, b{y) = r 


-y} 






rr 

L e,2 


= Mx) 


= r + x,b(y) 




y} 






= l a (x) 


= r + x,b(y) 


= r — 


y + 


1} 


jr 


= Mx) 


= r-x, b(y) 


= r — 


y + 


1} 



(E5) 



As we said in the main text, the decomposition of M 2 
given in (50) is only one possible decomposition, the one 
which optimizes Eve's information on Bob's symbol. It 
can checked that the general decomposition is defined by 



Mo 



Psj = 

P2,l = 

P r e ,i free, 

Ph = 

pU = 

pIa = 



0. 



Pla = P2 free, 



\-{P r 2+Pll): 
Plf, 

\-{p r 2+fe\ l ) 



(E6) 



There are thus six free parameters {p 2 ,Pl i}, constrained 
of course by the positivity of probabilities (in particular, 
none of these parameters can exceed g). A possible real- 
ization of M 2 is the equiprobable mixture of the eighteen 
points which arc not in C 3 . The choice leading to (50) is 
the equiprobable mixture of the six points in C 2 (p 2 = g , 
implying automatically p r e ■ = 0). 



2. Alice-Bob-Eve correlations 

Having the explicit deterministic strategies, it is a mat- 
ter of patience to derive the Tables for the correlations 
Alice-Bob-Eve. The result is given in Table VI, in which 
we have introduced the notations 



f(p) 



2pi 
3 



2p 2 p , g{p) 



1 -Po 



2p 2P . (E7) 



Note that, in each of the nine cells, the sum of the prob- 
abilities does not depend on the p 2 , as it should: the 
decomposition of M 2 is known only to Eve. Eve is obvi- 
ously interested in maximizing the probability of know- 
ing both symbols, measured by /(p); whence the choice 
p 2 = h made in the main text. 



3. About non-local points that violate CGLMP 

Here, we want to list some non-local points other than 
Pi?2,3, that violate CGLMP, and study their relation 
with the slice (44). 
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Consider first the non-local points equivalent to 
PR2.2 = PR- There are 24 such points in the no- 
signalling polytope: in fact, there a three choices for the 
two outcomes [(0,1), (0,2) or (1,2)] and for each choice 
there are eight PR- like points, obtained as usual by rela- 
belling inputs and/or outputs. By inspection, it can be 
seen that I3 > (in fact, h = \) for our representative 
(39) of ^3, is achieved only by three PR- like points: those 
defined by 

It is readily seen that no mixture of these three strategies 
can belong to the slice (44): to obtain all the marginals 
equal to \ , the only possible mixture is the equiprobablc 
one. This one reads 



A\B 


1 


1 


1 


1 


1 


1 





1 





1 





1 





1 


1 


1 








1 

2 


1 





1 


1 
? 






and is clearly not of the form (45). This negative result is 
important for our study: had such a mixture belonged to 
the slice, Eve would have sent these non-local points, for 
which she would have gained some information (because 
in each case one result is impossible). 

Actually, there is a mixture of non-local points on 
the slice: it is a mixture of other PR2, 3-like strategies, 
which optimize the violation of different representatives 
of CGLMP, and violate our representative by ^3 = |. 
The strategies are those in which b — a is equal to — xy, 
x(2 — y), y(2 — x) and (x + y + l)mod2 (note that this last 
one is indeed a PR2,3'- the non-locality is embedded on 
the fact that the r.h.s. is computed modulo 2, instead of 
modulo 3 as is the case for the others) . The equiprobablc 
mixture of these four strategies is the point po = | and 
Pi — in the slice. Obviously, Eve has no interest in 
sending these strategies instead of the Pi?2,3 which gives 
the maximal violation: in all cases, she is going to learn 
nothing about the outcomes. 

APPENDIX: TABLES 



A\B 


y = 0,6 = 


?/ = 0,6 = 1 


y = 1,6 = 


y = 1, 6 = 1 


x = 0, 
a = 


Pnl/2 (PR) 

p? (£?) 

P°2 (Ll) 
P% (Ll) 


Pl (Ll) 


Pnl/2 (PR) 
P? (Ll) 
pl (Ll) 
pl (Ll) 


pl (Ll) 


x = 0, 
0= 1 


pl (Ll) 


Pnl/2 (PR) 
Pl (Ll) 
Pl (Ll) 
Pl (Ll) 


pl (Ll) 


Pnl/2 (PR) 
Pl (Ll) 
Pl (Ll) 
pl (Ll) 


x = 1, 


Pnl/2 (PR) 






Pnl/2 (PR) 



a = 


P? (£?) 

Pl (Ll) 
r>\ (Ll) 


Pl (Ll) 


P? (L°i) 


Pl (Ll) 
Pl (Ll) 
vl (Ll) 


x = 1, 
a= 1 


Pl (Ll) 


Pnl/2 (PR) 
pl (Ll) 
Pl (Ll) 
Pl (Ll) 


Pnl/2 (PR) 
Pl (Ll) 
Pl (Ll) 
Pl (Ll) 


Pl (Ll) 


TABLE I. Table of the distribution Alice-Bob-Evc for the 
raw data. The entries are the P(a, b\x, y). In parentheses, we 
indicate Eve's symbol. 


x = 


6 = 


6=1 


a = 


Pnl/2 (PR) 
P? (L\) 
Pl (Ll) 
P% (Ll) 
Pki (Ll) 


pki (Li) 

Pko (Ll) 


a = 1 


pki (Li) 

Pko (L\) 


Pnl/2 (PR) 
Pl (Ll) 
Pl (Ll) 
Pko (Ll) 
Pki (Ll) 


x = 1 


6 = 


6=1 


a = 


Pnl/2 (PR) 
Pko (L°) 

pki (Li) 

Pl (Ll) 
Pl (Ll) 


pki (Li) 
pko (Li) 


a = 1 


pki (Li) 

Pko (L° 2 ) 


Pnl/2 (PR) 
Pko (Ll) 

pki (Li) 

Pl (Ll) 
Pl (Ll) 



TABLE II. Probability distributions Alice-Bob-Eve for the 
data after the pseudo-sifting of the CHSH protocol, condi- 
tioned to the knowledge of x = or x = 1. 



[isotropic] 


6 = 


6=1 


a = 


Pnl/2 (?,?) 
Pl/4 (0,0) 
Pl/8 (0,?) 


Pl/8 (0,?) 


a = 1 


Pi/8 (1,?) 


Pnl/2 (?,?) 
Pl/4 (1,1) 
Pl/8 (1,?) 



TABLE III. Probability distribution Alice-Bob-Eve for the 



CHSH protocol, in the case of isotropic distribution. 
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6 = 


6 = 1 


(X — u 


-^—{qAqB + qAqs) (!, '■) 


PNL ( r, , 7Z J_ 7: . „ \ (7 ?^ 

-^-{qAqB + <7a<7bJ (:, :) 




— <?A<?S (U, Uj 


PL r, , r , (ft (\\ 




PL „ .„ /I 1\ 
— <?A<?B (1, lj 


— qAqs (1, lj 




pl ~ , en ?l 

— <?a (u, rj 


— <?a (.0, rj 




^HA (1,?) 


^9A (1,?) 


a = 1 


^(9A9s + gAg s ) (?,?) 


^(gAgs + gA^) (?,?) 




^<M9b (0,0) 


^<7a<? s (0,0) 




^g^s (l, l) 


^UqB (1, 1) 




^Na (0,?) 


^?a (0,?) 




(1,?) 


v -tU (1,?) 



TABLE IV. Probability distribution Alice-Bob-Eve, in 
the case of isotropic distribution, after Alice's and Bob's 
pre-processing. 





6 = 


6 = 1 


6 = 2 


a = 


PW3 (?,?) 
^ (0,0) 

ft-S(o,? a ) 


(0,?2) 


±^(0,? 2 ) 


a = 1 


^ (1,?2) 


Pnl/3 (?,?) 
^ (1.1) 

ft 


^ (1,?2) 


a = 2 


^ (2,?2) 


^ ( 2 ,? 2 ) 


(?,?) 
^ (2,2) 
ft -f (2,?2) 



TABLE V. Probability distribution Alice-Bob-Eve for 



d — 3, after pseudo-sifting, assuming decomposition (50) for 
M2. We indicate by ?2 the case where Eve hesitates among 
two values of Bob's symbol (instead of three). 



X 


6 = 


6 = 1 


6 = 2 


a = 


PW3 (?,?) 
ApS - ") (0,0) 

ff(p2" B ) (0,?2) 


^ (0,?2) 


i^p (0,? 2 ) 


a = 1 


(1,?2) 


PiVL/3 (?,?) 

f{p\- x ) (1, 1) 

SG^"") (1,?2) 


(1,?2) 


a = 2 


±iP (2,?a) 


^ (2,?2) 


pW3 (?,?) 
fipl~ x ) (2,2) 
5(P2 _3; ) (2,?2) 



TABLE VI. Probability distribution Alice-Bob-Eve after 



pseudo-sifting for d = 3 and Alice's setting x, for the general 
decomposition (E6) of M2. 
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